[RPZ] RPZ and MX

Vernon Schryver vjs at rhyolite.com
Fri Jun 1 16:00:19 UTC 2012

> From: John Hascall <john at iastate.edu>

> Our primary aim in using RPZ is to protect web users
> by directing them to a walled garden.
> It appears that RPZ is also affecting MX records
> in the blacklisted zones.
> Is there a way to exempt MX records from the
> RPZ process?
> We recognize that this does present a risk as
> it would provide a possible mechanism for
> extant malware to "phone home".

The short answer is that RPZ policy triggers don't distinguish MX
from A or other resource record types.

However, the question raises other questions.

Say MX records were not affected by RPZ--then what?  Aren't MX
records almost always used to look up A records that are usually
related (obviously or not) to the MX qname?  If MX records were
exempted, wouldn't the RPZ blacklisting for HTML make most such
MX records point to SMTP servers in that walled garden?

Are hosts running HTML clients (browsers) that might be redirected to
a walled garden likely to legitimately use any MX records other than
those for a nearby mail submission agent (MSA)?  Should vulnerable
personal computers be sending mail outside the organization via the
organization's mail system and so through the organization's outgoing filters
to ensure that they are not sending spam, perhaps after a botnet
infection?  If so, the MX (and other) records for the organization
could be exempted from RPZ rewriting and they'd never notice that
blacklisted MX records get changed by RPZ into walled garden CNAMEs.

In other words, why not put an MSA in the walled garden along with
the HTML server?

What I'm trying to ask might be more clear if the phrase "direct
to mx spam" were not one of my pet peeves.  The phrase bugs me
because *all* SMTP email is sent "directly" to some "mx" or mail
exchanger when it leaves the originating mail user agent (MUA).  No
SMTP client (mail sender) can know whether the SMTP server it's
talking to is the mail delivery agent or yet another in a chain of
mail exchangers.  And then there is the related, irritating old
zombie idea that DNS MX records are required.  When there are no
MX records, A or AAAA records must be used.  See section 5.1 of RFC
5321 and similar words in older RFCs.

Vernon Schryver    vjs at rhyolite.com
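As an added illustration (not from the message above, nor from any particular deployment), here is the shape of a BIND response-policy setup that does what the reply suggests: the organization's own names, MX records included, are exempted with rpz-passthru in a policy zone listed first, while blacklisted zones are rewritten to the walled garden. The policy zone names, the walled-garden hostname, example.org and bad.example are placeholders; the two zone files are shown one after the other in a single listing.

```dns
; named.conf fragment (placeholder zone names):
;   response-policy {
;       zone "passthru.rpz.local";   ; first in the list, so its rules win
;       zone "walled.rpz.local";
;   };

; ---- file passthru.rpz.local ----
$TTL 60
@   SOA  localhost. hostmaster.example.org. ( 1 3600 900 2592000 60 )
    NS   localhost.
; The organization's own names (MSA, MX, walled-garden host, everything)
; are answered unchanged whatever a later policy zone says about them.
example.org            CNAME rpz-passthru.
*.example.org          CNAME rpz-passthru.

; ---- file walled.rpz.local ----
$TTL 60
@   SOA  localhost. hostmaster.example.org. ( 1 3600 900 2592000 60 )
    NS   localhost.
; QNAME triggers key on the query name only: an MX query for bad.example
; matches exactly the same rule as an A query, and the answer is this
; CNAME, so mail for the blacklisted zone ends up at the walled-garden
; host (which is why an MSA can sit there next to the HTML server).
bad.example            CNAME walled-garden.example.org.
*.bad.example          CNAME walled-garden.example.org.
```

Because walled-garden.example.org falls under the passthru rule, the rewritten CNAME target itself resolves normally rather than being rewritten a second time.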
